Staying a Step Ahead of Internet Attacks

There's no getting around the fact that targeted attacks, such as spearphishing, will happen. But you can figure out the type of attack to expect next.

"It's difficult to make predictions. Especially about the future," Yogi Berra famously stated. While this may be true for general predictions, I don't believe it's true for Internet security predictions.

By training, I am a cryptographer. In the late '90s, I realized that Internet security wasn't really about cryptography or even how protocols were implemented. Instead, it was about people and their actions. I believed criminals would start circumventing Internet security measures — authentication, in particular — by tricking people, using techniques we now refer to as "phishing." However, no one else at that time seemed to believe that this type of deception would ever be successful.

To prove my point to skeptical colleagues, I set up a series of simulated phishing attacks and found I could easily trick about 10% of the (unwitting) participants to enter their credentials. At that time, phishing was just starting to happen and nobody understood the potential success rates of these attacks. Next, I tried a similar version of the same attack, where I first extracted information about my "victims" to create a more convincing attack. (Today, we refer to this type of targeted attack as spearphishing.) Surprisingly, more than 70% of the participants fell for it.

This led to two key conclusions. First, targeted attacks will happen — especially where there is the potential for financial gain. And second, it is possible to make predictions about these attacks. If one criminal succeeds with a particular type of attack, copycats will soon follow and a trend will emerge. Eventually, toolkits will hit the market, enabling anybody to become a criminal. Take the increasingly popular, targeted business email compromise (BEC) attack as an example, which the FBI estimates grew by 2,370% in less than 24 months.

The important thing isn't whether we can predict a particular type of attack. The point is that by using insights into what constitutes a massive criminal opportunity, as well as what makes people mistakenly place trust in something, we can identify where things are likely to go. Seen from another perspective, by understanding what makes typical users fail we can also understand how attackers will succeed.

Predicting fraud trends isn't only about measuring what end users will fall for, though. It's also about understanding which countermeasures are inherently weak. For example, take antivirus (AV) technology. The predominant approach to detect malware is to use signatures, which are snippets of code and data associated with known malware, and are used to for comparison with incoming executables. If there is a match, the executable is blocked.

Think like a CybercriminalNow, imagine you're a criminal and want to spread malware or cash in on a ransomware campaign. You install some AV products, then try infecting your machine with your malware. If you succeed, your malware is unlikely to be detected when you release it. And if you don't succeed, you tweak the malware — or use a crypter, which is software that compiles the source code together with a random number to create a new obfuscated executable for you — and test again, until you succeed. When AV companies learn of the threat, they add a new signature for your malware. So, you do what you did before — and release your new batch of malware.

The fact that the signature paradigm is central to this process means that criminals will spread malware in small batches, creating new versions every time AV solutions are updated. Subsequently, we can predict they will create new threats in shorter cycles, and use an increasing variety of obfuscation tools. Today, malware is commonly distributed in encrypted attachments, with each new campaign looking different from previous campaigns.

We can also make predictions based on how unwanted emails are most commonly blocked, based on Internet service providers identifying anomalous volume spikes or a commonality of the same unique URL in many malicious emails. This means that criminals will focus on targeted attacks that use personalized URLs or craft attacks without any URLs at all. This criminal trend will continue, because many filtering technologies are based on URL blacklisting.

In addition, I believe we will see further increases in targeting to make attacks more credible; whether using account takeover techniques, social networks, or just publicly available information. As a result, more emails will look "right" to the victim and fewer malicious emails will be reported. This will hamper traditional blacklisting-based methods, which depend on reporting.

The adoption rate of defenses can also be used to more accurately predict the timing of new attack trends, which can be just as important as predicting the types of attacks. Because attackers will use the easiest and most lucrative methods, until an effective countermeasure is widely adopted, we can predict when we need to have the next set of defenses in place to protect against a new attack. For example, the current trends of spearphishing, ransomware, and BEC attacks will continue to grow until more organizations have effective defenses in place. Once these defenses are widely adopted, cybercriminals will move onto more advanced attacks, such as account takeover techniques.

We will see cybercrime through email continue to escalate as traditional countermeasures fail to provide a good defense. However, there is a silver lining: Although the Internet is rife with digital deception, we don't have to wait for bad things to happen to make things better. Instead, we can predict the likely future, and then set about improving our protection. While we cannot predict individual attacks, we can easily determine what types of attacks will be common in the future. Armed with this insight, we can try to build more effective defenses.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a ... View Full Bio

A personalized email is one that uses information about the recipient to make it more credible. In other words, a targeted attack.

And an email without a URL ... simply what it says. Many malicious emails have hyperlinks going to malicious webpages, or malicious attachments. Some have neither. Business Email Compromise (BEC) emails are in this important category. This is a growing problem (https://www.ic3.gov/media/2017/170504.aspx) and is harder to detect by many security services than emails with malicious URLs or attachments.

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.